Parent epic: #254 (E24: Code Hygiene)
Deferred from the PR #476 (S28.09) CodeRabbit review (zizmor findings #1, #2). Both are project-wide CI posture, not lwIP-specific, so they're bundled into one workflow-hardening sweep rather than bolted onto a single lane.
Scope
-
persist-credentials: false on every actions/checkout step whose job later bind-mounts the repo root (..) into a container (the BDD compose lanes — bdd-freertos-qemu-lwip, bdd-freertos-qemu-plustcp, bdd-linux-syslog-ng, etc.). Currently set nowhere, so the checkout .git credential material is mounted into the behave/QEMU containers.
-
SHA-pin the remaining tag-pinned actions so the whole workflow is zizmor-clean:
dorny/test-reporter@v3 (≈13 occurrences)
actions/cache@v4
uhafner/quality-monitor@v1
actions/checkout is already SHA-pinned; this finishes the job.
Acceptance
zizmor reports no artipacked / unpinned-uses findings on .github/workflows/ci.yml.
- All lanes still green (the pins are equivalents of the current major-version tags).
Notes
Not a blocker for #476 — the credentials exposure is to first-party CI containers only, and the action tags are the same ones already trusted across all lanes. This is hygiene/defence-in-depth.
Parent epic: #254 (E24: Code Hygiene)
Deferred from the PR #476 (S28.09) CodeRabbit review (zizmor findings #1, #2). Both are project-wide CI posture, not lwIP-specific, so they're bundled into one workflow-hardening sweep rather than bolted onto a single lane.
Scope
persist-credentials: falseon everyactions/checkoutstep whose job later bind-mounts the repo root (..) into a container (the BDD compose lanes —bdd-freertos-qemu-lwip,bdd-freertos-qemu-plustcp,bdd-linux-syslog-ng, etc.). Currently set nowhere, so the checkout.gitcredential material is mounted into the behave/QEMU containers.SHA-pin the remaining tag-pinned actions so the whole workflow is zizmor-clean:
dorny/test-reporter@v3(≈13 occurrences)actions/cache@v4uhafner/quality-monitor@v1actions/checkoutis already SHA-pinned; this finishes the job.Acceptance
zizmorreports noartipacked/unpinned-usesfindings on.github/workflows/ci.yml.Notes
Not a blocker for #476 — the credentials exposure is to first-party CI containers only, and the action tags are the same ones already trusted across all lanes. This is hygiene/defence-in-depth.